Five Tips for Getting the Word Out About Your Security Program

Authors: Mike Gentile, Editor, CISOHandbook.com & Ron Collette, Editor, CISOHandbook.com

If we were to tell you that most security programs, in the typical organization, are struggling to define and obtain security success, we are sure that you would not be terribly surprised. It is our belief that the primary reason our discipline, and specifically most organizational security efforts, are having difficulties is that they do not enlist the rest of the organization to assist with their efforts.

We believe this concept is clearly illustrated in a recent survey that we conducted of approximately 100 security officers at www.CISOHandbook.com. According to the survey data below, only 17% of the respondents believed that those outside of their security program would know anything about their security Mission & Mandate. We felt that this presented an opportunity to provide some practical tips for getting the word out on your security efforts.


1. Make Sure You Have a Security Program Mission & Mandate
This should be a no-brainer, but many security programs still lack an approved and articulated Mission & Mandate that reflects their overall program strategy and direction. This is often the case because of an immature security effort, lack of executive support, or other common organizational pressures. Regardless of the reason, this is akin to taking the field in a football game without team goals or overall direction, such as winning the game or keeping the other team from scoring. If you want to be successful, then you must make sure you have a realistic Mission & Mandate for your security program. It is really that simple.

2. Make Sure Your Security Program Mission & Mandate is Documented
This concept is closely related to Item 1, since you cannot document a Mission & Mandate if you do not have one. There are many instances, though, where a security program will have a Mission & Mandate, but it is known only to the security team itself.

Before you can get the word out to others and petition for their assistance, you first need something with which to educate them on your cause. A documented Mission & Mandate fits this need perfectly. However, make sure that it isn’t some flowery, Dilbert-esque manifesto. Rather, it should be something that truly captures your objectives and assigned mission. If you believe that your organization will not accept a realistic presentation of your Mission & Mandate, then it is time for an honest conversation with your management as to why this is the case. If you do not feel that you can have that conversation (which happens all the time), then perhaps it is time to start looking for a new job in an environment that is interested in a successful security effort. We know this is a harsh statement; it was intended to be.

3. Perform a “Road Show”
With a clear understanding of, and buy-in on, what you are supposed to be doing for security, go on a road show to spread your message to the rest of the organization. The easiest way to do this is to create a presentation, one which will resonate with non-security-oriented employees. We have found that, if they will let you, weekly team meetings with the various groups in your organization are an excellent place to present this material. You can also invite the other groups into your security team meetings if that is more acceptable within your environment or culture. Another approach to consider would be to swap presentations, where you go to their team meeting to talk about security and then they come to your meetings to talk about their discipline. This helps make everyone a little bit smarter and can be a great team-building exercise.

4. Inform People of Their Security Responsibilities
Regardless of the organization, it is now common to say that security is every employee’s responsibility. Actually, for security to work well in the modern workforce, this credo is a bit of a necessity. However, before you can expect those outside of the security office to become interested and buy into this idea, you must first:
a) Let them know that they have a role to play in the security of the organization
b) Describe exactly what the associated responsibilities are for that role

The best approach for accomplishing this is two-fold. First, your best vehicle is to use your security training and awareness program to get the message out. If you are not doing security training and awareness, or you do not have a formalized program, then you need to get one…fast. This is the best and cheapest security control that any security program has at its disposal. If you have a limited budget, then a good place to start is to try to get 10-15 minutes to talk about security during the new hire orientation at your company. This is by no means sufficient, but it is better than nothing. Your second focus should be to work with human resources to ensure that specific and applicable security responsibilities are included within the job descriptions of every employee. Employees will generally pay much more attention when their responsibilities are clearly articulated in black and white.

5. Focus on the “Why”
Employees will almost always take an interest in security if you let them know why it is important that they perform a task in a particular manner. In all of your efforts to spread the word regarding security, make sure that you let them know why it is important and why they should care. This can often be the difference between malicious compliance and heartfelt support. Though this “tip” might not seem like much, it can make all the difference between a security effort that is supported and one that is simply ignored.

Conclusion
An organization that has enlisted the majority of its employees to aid in the implementation of security is always going to be more successful than one that only has the members of the security team fighting the good fight alone. The good news is that it is not difficult to get people to help; in most situations you simply need to develop and package a clear message and then go out and educate. Nothing more is needed than a clearly articulated presentation of what you are attempting to achieve, the aid that is required, and why you need it. So if you haven’t yet, what are you waiting for?

CISOHandbook.com is a resource site for CISOs, CSOs, and security professionals. For more information go to www.CISOHandbook.com.